Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, a subject access request (often shortened to “SAR”) can feel like it arrives out of nowhere - and suddenly you’re asking: how long do we have to respond?
The good news is that UK GDPR sets a clear baseline. The tricky part is that the subject access request response time isn’t always as simple as adding one month to today’s date. There are rules about when the clock starts, when you can extend, what to do if the request is unclear, and what happens if you miss the deadline.
Below, we break down the subject access request time limits in the UK in plain English, with a practical approach for busy business owners who want to stay compliant without derailing operations. This article is general information only, and isn’t a substitute for legal advice on your specific circumstances.
What Is A Subject Access Request (SAR) And Why Do Businesses Get Them?
A subject access request is a request from an individual (the “data subject”) asking you to confirm whether you process their personal data and, if so, to provide them with access to that data (plus certain supporting information).
For small businesses, SARs commonly come from:
- Employees and ex-employees (for example, during a dispute or after disciplinary action)
- Customers (for example, after a complaint or refund issue)
- Suppliers or contractors (for example, after a relationship breaks down)
- Job applicants (for example, after an unsuccessful recruitment process)
A SAR doesn’t need to use specific words like “subject access request” or “UK GDPR” to count. If someone asks for “all the information you hold about me” (including by email or messaging), you should treat it as a potential SAR and start thinking about the relevant subject access request time limit.
As a business, SAR compliance is part of your wider privacy obligations. That includes having the right documents and practices in place - for example, a clear Privacy Policy that explains what you do with personal data, and how people can exercise their rights.
Subject Access Request Time Limit Under UK GDPR: The 1 Month Rule
In most cases, the subject access request time limit is:
You must respond without undue delay and within 1 month of receiving the request.
This “1 month” deadline comes from the UK GDPR (and is supported by the Data Protection Act 2018 framework in the UK).
What Does “1 Month” Actually Mean?
It’s not always “30 days”. In practice, “one month” generally means you respond by the same date in the next month.
For example:
- SAR received on 5 March → deadline is 5 April
- SAR received on 31 January → deadline is usually the last day of February (or 29 February in a leap year)
If the deadline lands on a weekend or bank holiday, it’s wise to treat the last working day before as your internal target, so you don’t get caught out by practical delays.
What Counts As “Responding”?
For a SAR response, “responding” typically means:
- confirming whether you process their personal data
- providing a copy of the personal data (unless an exemption applies)
- providing required supplementary information (like why you process it, how long you keep it, and who you share it with)
It’s not enough to say “we’re looking into it” by the deadline. The expectation is that you provide the actual SAR response within the subject access request time limit - unless you have a lawful basis to extend (more on that below).
When Does The SAR Clock Start (And Can You Pause It)?
One of the biggest causes of missed deadlines is confusion about when the subject access request time starts.
As a general rule, the clock starts when you receive the request.
But there are a few practical “pause points” that matter for businesses.
1) If You Need To Verify Identity
If you reasonably need more information to confirm the requester’s identity, you can ask for it. In that case, the one-month period will generally run from when you receive the additional information you reasonably need to verify their identity (so long as you ask promptly).
This is especially relevant if:
- you don’t have an existing relationship with the requester
- the request comes from a new email address
- the request is made on behalf of someone else
- you hold sensitive personal data and need to be extra careful
Practical tip: Don’t overdo it. You should only request ID where it’s genuinely necessary and proportionate.
2) If The Request Is Unclear And You Need Clarification
If someone sends a very broad request, you can ask them to clarify what they want (for example, “emails between these dates” or “HR file documents”). If you genuinely need clarification to respond, the one-month period will generally run from when you receive the additional information you reasonably need (again, assuming you ask promptly).
That said, you should be careful here. A SAR can be broad, and you can’t refuse it just because it’s inconvenient. If you ask for clarification, it’s usually best to still begin reasonable searches while you wait, so you don’t lose time.
3) If You Need To Locate Data Across Different Systems
This doesn’t extend the deadline on its own, but it’s why you should have a repeatable internal process. Many small businesses store personal data across:
- email inboxes
- HR platforms
- CRM tools
- shared drives (Google Drive / SharePoint)
- accounting tools
- support ticketing systems
- messaging apps
Where possible, have clear data storage rules and retention practices, because the longer you keep personal data “just in case”, the harder it can be to respond within the subject access request time limit. (This links closely to your broader approach on data retention periods.)
Can You Extend The Subject Access Request Time Limit?
Yes - but only in specific situations.
UK GDPR allows you to extend the subject access request time limit by up to two further months (so, up to a total of three months) where the request is complex or you have received a number of requests from the individual.
What Counts As “Complex”?
There isn’t a single definition, but complexity might include:
- large volumes of data spread across multiple systems
- data that requires careful redaction (for example, third-party personal data)
- data involving legal privilege issues
- records that require detailed review to apply exemptions properly
Important: If you extend the deadline, you must tell the requester within the original one-month period and explain why you need more time.
In other words: you can’t wait until day 40 and then decide you needed an extension. If you think you’ll need extra time, make that call early and communicate it clearly.
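As an added example (not from the original article or from Sprintlaw), here is a small Python deadline calculator that implements the rules from "What Does “1 Month” Actually Mean?" above and from this extension section: the same-date-next-month rule with end-of-month clamping (including leap years), the clock running from any identity or clarification information you reasonably asked for, the two-further-months extension with its notification cut-off at the original deadline, and the last-working-day internal target. The function names and the sample bank holiday date are constructed assumptions, not statutory terms.

```python
from datetime import date, timedelta
from typing import Optional, FrozenSet
import calendar


def add_months(d: date, months: int) -> date:
    """Same calendar date `months` later; if that date does not exist
    (31 Jan + 1 month), clamp to the last day of the target month."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def sar_deadline(received: date, extra_info_received: Optional[date] = None,
                 extended: bool = False) -> date:
    """Statutory response deadline.

    The one-month clock runs from receipt, or from the date the requester
    supplies the ID/clarification you reasonably (and promptly) asked for.
    An extension, only for complex or multiple requests, adds up to two
    further months, so the latest possible deadline is three months out."""
    start = extra_info_received or received
    return add_months(start, 3 if extended else 1)


def extension_notice_by(received: date, extra_info_received: Optional[date] = None) -> date:
    """Latest date to tell the requester you are extending: the original one-month deadline."""
    return sar_deadline(received, extra_info_received, extended=False)


def internal_target(deadline: date, bank_holidays: FrozenSet[date] = frozenset()) -> date:
    """Last working day on or before the statutory deadline, so a deadline that
    lands on a weekend or bank holiday is not missed through practical delays."""
    d = deadline
    while d.weekday() >= 5 or d in bank_holidays:  # 5 = Saturday, 6 = Sunday
        d -= timedelta(days=1)
    return d


if __name__ == "__main__":
    # Constructed sample: a bank holiday on the Friday before a Saturday deadline.
    holidays = frozenset({date(2025, 4, 4)})
    for received in (date(2025, 3, 5), date(2025, 1, 31), date(2024, 1, 31)):
        d = sar_deadline(received)
        print(f"received {received} -> deadline {d}, internal target {internal_target(d, holidays)}")
    print("extension must be notified by", extension_notice_by(date(2025, 3, 5)))
```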
What Businesses Can (And Can’t) Disclose In A SAR Response
Many small businesses worry that responding to a SAR means handing over “everything we’ve ever said” about the person, no matter what. That’s not quite right.
You generally need to disclose the requester’s personal data - but there are important limits and exemptions, and you may need to redact information.
Third-Party Personal Data
If documents contain personal data about other people (for example, other employees, customers, witnesses, or managers), you may need to:
- redact third-party names and identifiers, or
- consider whether you can disclose with consent, or
- balance rights and freedoms where consent isn’t possible
Legal Professional Privilege
Communications that attract legal professional privilege (for example, confidential legal advice) are commonly withheld.
References
References can be tricky. Depending on the context, you may need to disclose personal data contained in a reference unless a specific exemption applies (for example, where the reference is given in confidence for employment, training, or education purposes under the Data Protection Act 2018).
Internal Management Information And Exemptions
There are also exemptions under the Data Protection Act 2018 that may apply depending on context (for example, where disclosure would prejudice certain regulatory or crime-related functions).
Because these issues are nuanced, it’s worth understanding what can be withheld before you respond. In practice, many businesses get stuck here because they’re unsure what they’re allowed to redact. This is where a guide like what employers can withhold is useful as a starting point.
Tip for avoiding delays: Build “review and redaction time” into your SAR workflow. The search is only half the job - reviewing what you’ve found is often what takes the most time.
A Practical Step-By-Step SAR Process For Small Businesses (So You Hit The Deadline)
When the subject access request time limit is ticking, it helps to have a simple process you can repeat.
Step 1: Recognise The SAR And Log It Immediately
As soon as you spot a SAR (even if it’s informal), log:
- date received
- who received it (and which inbox/account)
- the requester’s details
- the deadline (and any internal earlier target date)
If you have a central privacy inbox or ticketing system, route it there right away.
Step 2: Confirm Identity (If Needed) And Clarify Scope (If Helpful)
If identity is unclear, ask for reasonable proof early. If the SAR is broad, consider whether asking for clarification will help you provide a faster, more useful response - but don’t use this as a stalling tactic.
Step 3: Plan Your Data Search
List the data sources you need to search. For many small businesses, that includes:
- Email accounts (including shared inboxes)
- HR folders and payroll records
- CRM records and customer support logs
- Shared drives and project tools
- Security and access logs (if relevant)
If the SAR comes from an employee or ex-employee, you’ll often need to coordinate with HR and management. (If you’re tightening up your HR foundations generally, having a solid Employment Contract and staff policies can make your internal processes much easier to manage.)
Step 4: Review, Redact, And Apply Exemptions Carefully
This is where you’ll decide:
- what is the requester’s personal data
- what includes third-party data that needs redaction
- what is privileged or exempt
- how you’ll present the information (PDF bundle, spreadsheet, extracts, etc.)
If the SAR is contentious (for example, tied to a dispute), getting legal input early can save you from accidentally disclosing something you shouldn’t, or withholding something you should disclose.
Step 5: Prepare Your Response Pack And Cover Letter
A good SAR response usually includes:
- a clear covering message explaining what you’re providing
- the categories of data you hold and the purposes for processing
- recipients or categories of recipients you share data with
- retention periods (or criteria for deciding them)
- the personal data itself (in an accessible format)
You also need to tell the requester about their rights (including the right to complain to the ICO).
Step 6: Deliver Securely And Keep An Audit Trail
Make sure you send the response securely. Depending on sensitivity, that might mean encryption, password-protected files, or a secure portal.
Also keep a record of:
- what you disclosed
- what you withheld and why
- dates of key steps and communications
If you ever need to justify your approach, that paper trail matters.
And if you’re unsure about the practical deadlines and how they’re calculated in real life, it can help to sanity-check against a deadline-focused guide like SAR response timescales.
Common SAR Deadline Mistakes (And How To Avoid Them)
Most missed deadlines aren’t caused by bad intentions - they happen because a business is busy and the SAR doesn’t look “urgent” until it suddenly is.
Here are some common pitfalls we see:
- Not recognising a SAR: Treat “send me everything you hold on me” as a SAR even if it’s informal.
- Starting too late: If you wait two weeks to begin searching, you’ve already burned a big chunk of the subject access request time limit.
- No single owner internally: Assign one person to coordinate the response and chase inputs.
- Forgetting about third-party data: Redaction takes time - don’t leave it until the last few days.
- Over-collecting and over-retaining data: The more scattered your records, the harder SAR compliance becomes.
- Assuming it’s always free (or always chargeable): Most SARs must be handled free of charge, but there are limited situations where a fee may apply (for example, manifestly unfounded/excessive requests). If cost is on your mind, it’s worth understanding subject access request cost rules.
If your business handles sensitive data regularly (employee records, health info, surveillance/CCTV footage, etc.), your SAR process should be especially careful and consistent.
Key Takeaways
- The UK GDPR subject access request time limit is usually 1 month from receiving the request, and you must respond without undue delay.
- You can extend the deadline by up to two additional months for complex requests or where multiple requests are made - but you must inform the requester within the original month.
- The one-month time limit may run from when you receive any additional information you reasonably need to verify identity or clarify the request, but you should ask for that information promptly and proportionately.
- You don’t always have to disclose everything - third-party data, legal professional privilege, and certain statutory exemptions may apply, and careful redaction is often required.
- A repeatable internal SAR workflow (log, search, review/redact, respond securely) is the best way to hit deadlines consistently.
- Good privacy foundations (including clear notices and sensible retention) make SARs faster and less disruptive for small businesses.
If you’d like help responding to a SAR, setting up a practical GDPR process, or reducing your risk around data requests, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.